Update user Devise via API with security

In an app I need to edit a user's user name, email, phone, and password (for the optional password, I found this solution).

But this change is made via API. Since it involves a data change, I need to know how to make it safely. If it were only on the web I would use current_user, which would guarantee that only the logged-in user could change their own data. But in this case I do not know how it works.

asked by anonymous 25.03.2014 / 21:24

1 answer

I recommend that you take a TOKEN approach to user authentication via the API (note that it is not related to Devise's old TokenAuthenticatable).

Your User model will have a TOKEN, which will be a random code. On each API request you pass this TOKEN to ensure that it is the true user.

Rails already has a method to verify this type of authentication: authenticate_with_http_token

If you want to increase security, you can also provide an APP_SECRET that will be used to encrypt your token, using an algorithm.

This APP_SECRET will not be sent in communication (HTTP calls), but it must be stored on both the server and the client.

References that may help you:

link link

01.04.2014 / 21:40
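The token scheme from the answer above, as an added example that is not part of the original answer or of Devise or Rails: a plain-Ruby stand-in for `authenticate_with_http_token` that parses the `Authorization: Token token="..."` header, looks the token up by its SHA-256 digest with a constant-time comparison, and lets the authenticated user update only their own row. The in-memory `USERS` table, `build_users`, `authenticate` and `update_user` are hypothetical names chosen for this example; in a real app the lookup would hit the User model and the APP_SECRET HMAC step is left out.

```ruby
require "securerandom"
require "digest"

# Constructed in-memory user table standing in for the Devise User model.
# Only a digest of each API token is stored, so a leaked table does not leak tokens.
def generate_token
  SecureRandom.hex(32)
end

def token_digest(token)
  Digest::SHA256.hexdigest(token)
end

def build_users
  alice_token = generate_token
  bob_token   = generate_token
  users = [
    { id: 1, name: "alice", email: "alice@example.com", token_digest: token_digest(alice_token) },
    { id: 2, name: "bob",   email: "bob@example.com",   token_digest: token_digest(bob_token) },
  ]
  [users, { alice: alice_token, bob: bob_token }]
end

# Constant-time string comparison so token lookup does not leak a prefix match via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for Rails' authenticate_with_http_token: reads Authorization: Token token="..."
# and returns the matching user, or nil when the header is missing or the token is unknown.
def authenticate(users, headers)
  match = headers["Authorization"].to_s.match(/\AToken\s+token="?([^",\s]+)"?/)
  return nil unless match
  digest = token_digest(match[1])
  users.find { |u| secure_compare(u[:token_digest], digest) }
end

# PATCH /api/users/:id: the token's owner may change only their own record, and only
# the whitelisted fields (password stays with Devise; token_digest is never mass-assigned).
def update_user(users, headers, target_id, params)
  current = authenticate(users, headers)
  return [401, { error: "unauthorized" }] unless current
  return [403, { error: "forbidden" }] unless current[:id] == target_id
  current.merge!(params.slice(:name, :email, :phone))
  [200, current.reject { |k, _| k == :token_digest }]
end
```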